> ... Proper ACLs are the cornerstone of locking things down. It
> doesn't matter how much you encrypt, if the user has read access
> to the file then they will still be able to read it.

I'd just like to second that, and thank you for pointing that out. People tend to focus on the wrong things with security; it doesn't generally matter how strong the lock may be, if you're not careful with the key!

> ... You may get better mileage by giving only execute permissions
> on CFM files. With W2k/IIS 5 you can give execute only rights
> to a file. This will allow the user to interact with dynamic
> pages but doesn't give them read access to the file. I haven't
> tested this, but this may solve the "source viewing" exploits
> that have been plaguing HTTP servers.

I've tested this, and it does in fact work. You can actually do this on IIS 4/NT 4 also, as long as SP 4+ has been applied and the optional "advanced" file security interface has been installed. This optional install should be somewhere on the SP 4 CD.

As I recall, I think you'll have to give the IUSR_MACHINENAME account the "read attributes" permission and give the CF service user account execute permission.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

Archives: http://www.mail-archive.com/[email protected]/
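The permission layout Dave describes (web identity gets "read attributes" only, CF service account gets execute only), written up as an added PowerShell example that is not part of the original post. It assumes a modern Windows host with PowerShell; the web root path, the `IUSR` identity and the `CFSERVICE` account name are placeholders to be replaced with your own.

```powershell
# Added example, not from the original thread. Placeholders: adjust the web
# root, the IIS anonymous identity and the ColdFusion service account.
param(
    [string]$WebRoot   = 'C:\inetpub\wwwroot\cf',   # placeholder
    [string]$WebUser   = 'IUSR',                    # placeholder: IIS anonymous identity
    [string]$CfService = 'CFSERVICE'                # placeholder: CF service account
)

function New-Ace([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
}

function Set-CfmExecuteOnlyAcl {
    param([string]$Path, [string]$WebUser, [string]$CfService)
    $acl = Get-Acl -Path $Path
    # Stop inheriting the folder's (usually Read) ACEs so the web identity does
    # not pick up ReadData on the template through inheritance.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Ace $WebUser   'ReadAttributes'))   # web user: attributes only
    $acl.AddAccessRule((New-Ace $CfService 'ExecuteFile'))      # CF service: execute only
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))  # for maintenance
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-CfmSourceReadable {
    # Returns any Allow ACE that still grants the web identity ReadData,
    # i.e. the condition that makes "source viewing" bugs pay off.
    param([string]$Path, [string]$WebUser)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -like "*$WebUser" -and
        (($_.FileSystemRights -band $readData) -ne 0)
    }
}

Get-ChildItem -Path $WebRoot -Recurse -Filter '*.cfm' | ForEach-Object {
    Set-CfmExecuteOnlyAcl -Path $_.FullName -WebUser $WebUser -CfService $CfService
    if (Test-CfmSourceReadable -Path $_.FullName -WebUser $WebUser) {
        Write-Warning "$($_.FullName): $WebUser can still read the template source"
    }
}
```

Whether the CF engine can still compile a template it may only execute depends on the identity the CF service runs under, so verify a page renders after applying this; the post reports success on NT 4 SP4+ and W2k, not on current releases.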

